More Prevention then detection? (Score 2, Interesting)

The best way is always prevention, 1. If they have to use IE we make the default ZONE setting for Internet High and Medium for everything else including local zone and trusted. We have yet to find (Business) applications that this breaks. Yet no pop-ups no spyware - works as well as firefox minus tabs. They will have to add banking and other ActiveX/Java/Download type application sites to the trusted zone. Any MS box I use this is the first thing I setup. (assumming I can't install Firefox) 2. Patch Management (Many Spyware and tojens use exploits to install.) Patchlink is good multi-platform choice. www.patchlink.com but there are many others. 3. Web Scanning solution. (e.g, ISS, Mcafee, others?) Scan for ActiveX and Java Exploits on Web traffic. 4. PestPatrol now has a solution that does not require a client. I asume others will have simular solutions soon if they already don't